2014 04-03 xyratex event

Secure Foundations: An SELinux Primer

Shawn Wells Director, Innovation Programs & Lead Developer, SCAP

20 MINUTES, 2 QUESTIONS

1.  How do we label data?

2.  How do we verify security compliance?

FIRST: An SELinux History Lesson

•  Originated from NSA R&D •  First release in December 2010

•  Integrated into mainline Linux in 2003

FIRST: An SELinux History Lesson

Exploit

Exploit

What An Attacker Can’t Do

•  Read/manipulate user data

•  Read/manipulate system files

•  Attack data/processes owned by other compartments (via polyinstantiation)

•  Attack other machines on the network, unless authorized to pass traffic on specific port

•  Evade audit subsystem

Role Based Access Control

SCAP Security Guide

SCAP HTML

OpenSCAP Firefox

CAPP: Users control who access’ their data RBAC: Users classified into roles (“BackupAdm,” “AuditAdm”...) LSPP: Compartmentalizes users and applications from each other. Enables MLS.

Red Hat Enterprise Linux 6 with KVM

Red Hat Enterprise Linux 5.6 with KVM

IBM z/VM Version 5 Release 3 (for IBM System z Mainframes)

VMWare vSphere 5.0

VMWare ESXi 4.1

Microsoft Windows Server 2008 Hyper-V Role with HotFix KB950050

Certification Date

2012-10-08 2012-04-20 2008-08-06 2012-05-18 2010-12-15

2009-07-24

EAL Level EAP4+ EAP4+ EAP4+ EAP4+ EAP4+ EAP4+ CAPP YES YES YES NO NO NO

RBAC YES YES NO NO NO NO

LSPP YES YES YES NO NO NO